Could We Finally Have a Secure IoT, Courtesy of the NSA?

Most data is in motion and needs to be protected at the source. Here’s how Apache NiFi might help.

When it comes to security, the IoT doesn’t have the greatest track record. Perhaps most notably and recently, a large number of IoT devices were hacked to form a botnet and launch a massive DDoS attack. Even if we accept that many of the most critical vulnerabilities are in consumer-level devices, enterprises tend to have, at the very least, an active role in the security of their internal systems. That role was clear in a recent webinar featuring The Bloor Group and Hewlett Packard Enterprise: “Security needs to be designed in from the get-go.”

Reiner Kappenberger, who works in global product management for Hewlett Packard Enterprise (HPE), points out that most companies are using Hadoop for their data lakes, but he also acknowledges that Hadoop is rather difficult to protect. Why? The platform is experiencing rapid innovation from a well-funded, open-source community, and rapid innovation can lead to security issues. On top of that, Hadoop needs to ingest data from disparate sources with different protection needs.

This creates a system with a potential security flaw at each layer—at the filesystem, at the ingestion point, and so on. Reiner says, “You can restrict the administrator from seeing actual live data, but have you really protected it? Where is the malware today? It’s sitting on SQL injection. You can only protect a certain layer, and downward.” Even enterprises with top-tier security, like firewalls and encryption, need to discover new strategies for securing IoT devices.

Reiner adds: “If you’re in enterprise, you already understand how difficult it can be to secure your email on a user’s phone. Compared to the IoT device, that’s a complete unknown today.”

Devil in the devices: IoT standards

Part of this unknown stems from the lack of standardization in IoT security and protocols. Every manufacturer is reinventing the wheel, which makes practical applications, such as connected cars actually “speaking” to one another, incredibly difficult. On top of that, IoT hardware is constantly turning over, but neither consumers nor enterprises will jump at the opportunity to spend more when their existing hardware is working fine. Would you buy a new wireless router for your home just because a new model has a nicer design? Probably not, Reiner argues, and if manufacturers won’t support older hardware, security is going to be a long-term issue.

Apache NiFi and IoT security

Luckily, some new solutions are becoming available that might open the way for enterprises to take a security-minded approach to not only the IoT implementation, but also the data lakes and analytical structures that help store and make sense of the data. Apache NiFi, developed by the NSA, is one of those options. By using NiFi, Internet of Things deployments can protect sensitive information before it even goes downstream. Reiner gives the example of a cell tower with an IoT device that sends data back to a data lake. With NiFi, that data can be protected directly from the source.

This is important when it comes to moving sensitive personal information across the wire. Reiner gives another example: monitoring the blood pressure numbers from a delivery driver isn’t particularly sensitive information on its own, because it’s inherently anonymized. But if an enterprise decides to take that number and associate an employee ID with it, all of a sudden they’re dealing with HIPAA, which is a far more complex regulatory picture.

Pulling that data out of the data lake in a way that’s compliant, secure, and fast is a completely different matter, but also one that can rely on NiFi technology. Dr. Robin Bloor, the chief analyst for The Bloor Group, argues that the IoT industry needs to consider that most data is “in motion,” if not all of it.

“If it’s not on disk, it’s in motion, whether it’s moving along a wire, or sitting in memory somewhere. It can be in motion in a fraction of a second.”

Because a good deal of new data is now being sourced from outside the business, people need to be aware of special considerations, such as the governance of data, its provenance, and whether it’s been exposed or not—has it been encrypted from the source? Bloor says, “You need to know where data came from, and you need to be sure you know where data came from.”

By pulling these two halves of the equation together—the collection and digestion of data, plus some best practices about the data lake—both Bloor and Reiner argue that NiFi could represent a new, high-security future for IoT implementations.

If companies can get over the fact that it was created by the NSA, that is.